Before you go out and get the two cisco 501's you may want to look into if your exisiting firewall/network hardware can support VPNs. May help save you some money.Essentially all you would have to ensure is that proper routing is in place. IE the clients connecting to the APs know how to get to your database servers. The best way i would say to sell the idea is to find out why the previous attempt failed and show how this new design counters the previous failures.